Open ZhangZhuoSJTU opened 5 years ago
Thank you very much. And may I ask for your help to address this issues. Could you please contribute a pull request to handle this bug?
For Reference: With file 5.36 I'm getting this output
$ file -v
file-5.36
magic file from /etc/magic:/usr/share/misc/magic
$ file pie
pie: ELF 64-bit LSB pie executable, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, for GNU/Linux 3.2.0, BuildID[sha1]=1d677eb3a12c5b5fe6d135fe815efde29474e5ad, not stripped
Is there any plan to address this ? Please note that CVE-2019-13125 was assigned to this issue. Thanks in advance @f0wl @jingleyang
Current, HaboMalHunter uses
file
command output to check whether target is executable here. However,file
command would regard any executable complied with PIE asshared object
.That means HoboMalHunter would not run dynamic analysis for any malware compiled with PIE.
Example
Following are two executables from the same source code and compiled w/ and w/o "-no-pie" flag.
Compiled with PIE
pie.zip
Analysis result of Habo is available here
Compiled without PIE
nopie.zip
Analysis result of Habo is available here